Computer Security Resource Center

Mobile applications have become an integral part of our everyday personal and professional lives. As both public and private organizations rely more on mobile applications, securing these applications from vulnerabilities and defects becomes more important. The level of risk associated with a vulnerability varies depending on several factors, including the data accessible to an app. For example, apps that access data such as precise and continuous geolocation information, personal health metrics, or personally identifiable information (PII) may be of higher risk than those that do not access sensitive data. In addition, apps that depend on wireless network technologies (e.g., Wi-Fi, cellular, Bluetooth) for data transmission may also be of elevated risk, since these technologies can also be used to steal information remotely.

Draft NIST Special Publication (SP) 800-163 Revision 1, Vetting the Security of Mobile Applications, defines the app vetting process—a software assurance method for mobile applications. Revision 1 updates this publication to address changes in the mobile landscape. Guidance has been expanded to better define the app vetting process as a whole, while providing greater detail about the roles, capabilities, and strategies of mobile application testing. Security requirements and references have been added to aid organizations in defining their own app vetting policy. Finally, a brief discussion of the mobile app threat landscape is included to better contextualize the need for app vetting.

Comments on Draft SP 800-163 Rev. 1 are due September 6, 2018, and may be sent to nist800-163@nist.gov with “Comments on Draft SP 800-163 Rev. 1” in the Subject field.